
The Government Accountability Office issued a report on July 5th concerning the issue of consumer privacy and data breaches in response to several bills in Congress that carry a national notice requirement. The GAO was asked to assess the costs and benefits of such a requirement. There’s good news and (sorta) bad news. First the good news:

• Even though data breaches happen fairly frequently, they are less often used for ID theft purposes than you might expect.

“For example, in reviewing the 24 largest breaches reported in the media from January 2000 through June 2005, GAO found that 3 included evidence of resulting fraud on existing accounts and 1 included evidence of unauthorized creation of new accounts. For 18 of the breaches, no clear evidence had been uncovered linking them to identity theft; and for the remaining 2, there was not sufficient information to make a determination.”

Now, the bad news:

The Government Accountability Office is concerned about the costs and challenges involved for companies if they are required to notify consumers of every data breach.

The full extent of the connection between info breaches and ID theft is unknown, because it’s difficult to connect ID theft to where the information was stolen from.

The Government Accountability Office recommends that a “threat level” type system be used to determine if the breach warrants notification. They claim that using such a risk-based approach “could avoid undue burden on organizations and unnecessary and counterproductive notifications of breaches that present little risk.”

The report claims that it has “no recommendations,” but the language of the report suggests otherwise. Consumer advocates are taking issue with the GAO’s “not-a-recommendation” of a risk-assessment plan, in part because they believe that every consumer who has been the victim of a data breach should know about it, and also because the connection between data breaches and ID theft is difficult to assess, thus making it somewhat unbelievable that an accurate and useful risk-assessment program could be created.

The GAO does point out that requiring disclosure of data breaches would likely have a positive effect on security, but seems very concerned about the associated costs.

Michelle at Consumers Union says about the report, “Consumers Union thinks that because law enforcement and business associations can’t even say how often data breaches lead to harm, letting each business that has a security breach decide not to tell individuals about the breach because the business hasn’t determined that there is a risk of harm to consumers would be a very big loophole in any notice requirement.”